Active Directory Attacks for Red and Blue Teams - Advanced Edition (CRTE)

Active Directory Attacks for Red and Blue Teams – Advanced Edition


This training is also available as Attacking and Defending Active Directory - Advanced Edition as a bootcamp and on-demand class

Overview & Course Content

More than 95% of Fortune 500 companies use Active Directory! Enterprises are managed using Active Directory (AD) and it often forms the backbone of the complete enterprise network. Therefore, to secure an enterprise from an adversary, securing its AD environment is essential. To secure AD, you must understand the different techniques and attacks used by adversaries against it. Often burdened with maintaining backward compatibility and interoperability with a variety of products, AD environments lack the ability to tackle the latest threats.

This training is aimed at attacking modern AD with a focus on OPSEC and Stealth. The training is based on real world penetration tests and Red Team engagements for highly secured environments. Some of the techniques used in the course:

  • Introduction to OPSEC and Stealth used in the class.

  • Attack methodology and tradecraft 

  • Extensive AD Enumeration (Attacks and Defense) 

  • Trust and Privileges Mapping 

  • Local Privilege Escalation 

  • Credential Replay Attacks with MDI bypass (Over-PTH, Token Replay etc.) 

  • Domain Privilege Escalation (User Hunting, Delegation issues, LAPS abuse, gMSA abuse, SPN Hijacking, Shadow Credentials and more) 

  • Dumping System and Domain Secrets with EDR bypass

  • Advanced Kerberos Attacks and Defense (Golden, Silver ticket, Kerberoast and more) 

  • Advanced cross forest trust abuse (Lateral movement across forest, PrivEsc and more) 

  • Persistence (WMI, GPO, Domain and Host ACLs and more) 

  • Attacking Azure integration and components 

  • Abusing trusts for MS products (AD CS, SQL Server etc.) 

  • Monitoring AD using Defender 365 and Elastic Dashboard 

  • Defenses (JEA, PAW, LAPS, Selective Authentication, Deception, App Allowlisting, MDE EDR Microsoft Defender for Identity etc.) 

  • Bypassing Defenses (MDE, MDI and Elastic)

The course is a mixture of fun, demos, exercises, hands-on and lecture. You start from compromise of a user desktop and work your way up to multiple forest pwnage. The training focuses more on methodology and techniques than tools.

Attendees will get two months of free access to an Active Directory environment comprising multiple domains and forests, during and after the training, and one Certified Red Team Expert (CRTE) certification exam attempt.

Who should take this course?

Red teamers and penetration testers who want to improve their Red Team and Active Directory attack skills should take this class. Blue teamers, AD administrators and security professionals who want to understand the approach and techniques of adversaries should also take this class.

What's Included

  • Access to a lab environment (One/Two/Three months) with updated Server 2019 machines. Lab can be accessed using a web browser or VPN. 

  • A ready to use student VM in the cloud that has all the tools and Sliver C2 pre-installed.

  • Lifetime access to all the learning material (including course updates).

  • 14+ hours of video course with English captions.

  • Course slides.

  • Two lab manuals: one for solving the lab using standalone tools, and a second for solving the lab using a C2 framework.

  • Walk-through videos.

  • One exam attempt for the Certified Red Team Expert (CRTE) certification.

What will you Learn?

The Advanced Red Team Lab enables you to:

  • Practice various attacks in a fully patched real world Windows environment with Server 2019 and SQL Server 2017 machines.

  • Abuse Active Directory and Windows features like LAPS, gMSA, AD CS and more

  • Execute and visualize the attack path used by the modern adversaries.

  • Attack Azure AD Integration (Hybrid Identity).

  • Try new TTPs in a fully functional AD environment.

  • Understand defenses (JEA, PAW, LAPS, Selective Authentication, Deception, App Allowlisting, etc.) and their bypasses.

  • Bypass defenses like Windows Defender, Microsoft Defender for Endpoint (MDE) and Microsoft Defender for Identity (MDI).

Prerequisites for the course

  • Basic understanding of red teaming/penetration testing or blue teaming/security administration of an AD environment.

  • Ability to think like an adversary and inclination towards abusing features of AD rather than exploits.

  • If you are new to Red Teaming, Enterprise security and Active Directory security, you may prefer to start with the beginner's level course - CRTP.

Top 3 takeaways

1. The lab environment is Server 2025, fully patched and contains defenses like MDE, MDI and the Elastic stack. The focus is on feature abuse and not on patchable vulnerabilities. Therefore, whatever the students learn in this class is immediately usable and useful for many years.

2. The labs can be completed with or without a C2 framework, and we provide learning materials to support both approaches. The students get lab access for two months after the class. This helps students in utilizing the lab to the maximum.

3. The course is based on our real world red team operations. The course authors are world-renowned experts in red teaming and Active Directory security.

About the Trainer


Nikhil is the founder of Altered Security - a company focusing on hands-on enterprise security learning - https://www.alteredsecurity.com. As a global leader in cybersecurity education, he has nurtured the field, helping bring it from niche groups to the mainstream.

Nikhil's areas of interest include red teaming, Azure and Active Directory security, attack research, defense strategies and post exploitation research. He has 15+ years of experience in red teaming.

He specializes in assessing security risks in secure environments that require novel attack vectors and an "out of the box" approach. He has worked extensively on Azure and Active Directory attacks, defense and bypassing detection mechanisms. Nikhil has held trainings and boot camps for various corporate clients (in the US, Europe and SE Asia), and at the world's top information security conferences.

He has spoken/trained at conferences like DEF CON, BlackHat, BruCON and more.
